Installation and Upgrade Guide for the Cisco Secure Access Control System 5.1
Upgrading the Cisco Secure Access Control System


Table Of Contents

Upgrading the Cisco Secure Access Control System

Upgrading an ACS Deployment from 5.0 to 5.1

Upgrading the Log Collector Server

Upgrading the Secondary Servers

Upgrading the Primary Server

Upgrading the PKI Data

Promoting a Secondary Server to Primary

Upgrading the ACS Monitoring and Report Viewer

Restoring the Monitoring and Report Viewer Data After Upgrade

Upgrading the Database

Upgrading the Reports

Upgrading an ACS Server from 5.0 to 5.1

Upgrading an ACS Server Using an UpgradeDisk

Reimaging and Upgrading an ACS Server


Upgrading the Cisco Secure Access Control System


This chapter describes the procedure to upgrade an ACS deployment from 5.0 to 5.1 and to upgrade a single ACS server to ADE-OS 1.2 and ACS 5.1.

This chapter describes the following scenarios:

Upgrading an ACS Deployment from 5.0 to 5.1—Procedure to upgrade an ACS deployment from 5.0 to 5.1.

Upgrading the ACS Monitoring and Report Viewer—Processes involved in upgrading the ACS Monitoring and Report Viewer.

Upgrading an ACS Server from 5.0 to 5.1—Procedure for an incremental upgrade of an ACS server from 5.0 to 5.1.

Reimaging and Upgrading an ACS Server—Procedure to reimage an ACS 5.0 server and upgrade to 5.1.

The upgrade process involves upgrading an ACS server that includes the Monitoring and Report Viewer and the configuration information in the database.

During the upgrade process, ACS backs up the 5.0 configuration data, upgrades the ACS server to 5.1, and restores the data to ACS 5.1 server. As part of the restore operation, ACS converts the configuration data to a 5.1-compatible format.


Warning Syslog messages collected during the upgrade might not be available in the database after upgrade. For information on how to prevent this, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/release/notes/acs_51_rn.html#wp144669.


ACS stores the information related to data upgrade in /opt/CSCOacs/logs/acsupgrade.log. To view the contents of this log file, use the show acs-logs CLI command. Also, refer to /var/log/ade/ADE.log, which logs the details of all the operations performed in ACS CLI.

If you are migrating your ACS from 4.x to 5.1, you must follow the migration procedure as described in the Migration Guide for the Cisco Secure Access Control System 5.1.


Note You must have a repository configured with an FTP, NFS, or SFTP network server (but not a TFTP repository) to perform the ACS upgrade. To create a repository, use the repository command. For more details about the commands used in this chapter, see the CLI Reference Guide for the Cisco Secure Access Control System 5.1.


Upgrading an ACS Deployment from 5.0 to 5.1

Follow the procedure described in this section to upgrade an ACS 5.0 deployment to 5.1.

The deployment upgrade process consists of the following phases and is illustrated in Figure 7-1:

Upgrading the Log Collector Server

Upgrading the Secondary Servers

Upgrading the Primary Server

Figure 7-1 Upgrading an ACS Deployment


Note ACS does not support interoperability between the ACS 5.0 and 5.1 deployments.


In a typical multi-server deployment, the ACS primary server functions as the master database for the configuration data, and a secondary server stores the monitoring and report data. There are some exceptions to this usual setup, which are handled as described below:

If the ACS 5.0 primary server also functions as the log collector in your 5.0 deployment, you should swap the roles of the primary server and one of the secondary servers in the deployment. See Promoting a Secondary Server to Primary.

If your 5.0 deployment contains only two servers, you could skip the second step (upgrading the secondary servers) listed in the deployment upgrade process.
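To make the phase ordering and the two exceptions above checkable before a change window, the following added Python planner (not Cisco's code and not part of this guide) turns a description of a 5.0 deployment into the ordered runbook. Server names are constructed and stand for hostnames; it assumes that when no other secondary exists, the 5.0 primary is chosen as the interim log collector.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    name: str                  # hostname, also used as the Recovery Keyword later
    role: str                  # "primary" or "secondary"
    log_collector: bool = False


def validate(servers):
    """A 5.0 deployment has exactly one primary and exactly one log collector."""
    primaries = [s for s in servers if s.role == "primary"]
    collectors = [s for s in servers if s.log_collector]
    if len(primaries) != 1:
        raise ValueError(f"expected one primary, found {len(primaries)}")
    if len(collectors) != 1:
        raise ValueError(f"expected one log collector, found {len(collectors)}")
    return primaries[0], collectors[0]


def plan_upgrade(servers):
    """Return the upgrade phases, each a list of steps, in the order the guide prescribes."""
    primary, collector = validate(servers)
    secondaries = [s for s in servers if s.role == "secondary"]
    plan = {"preparation": [], "log_collector": [], "secondaries": [], "primary": []}

    # Exception 1: the primary is also the log collector. Promote a secondary so the
    # collector can be upgraded as a secondary (the former primary).
    if collector is primary:
        if not secondaries:
            raise ValueError("primary is the log collector but there is no secondary to promote")
        plan["preparation"].append(
            f"promote {secondaries[0].name} to primary; {primary.name} becomes a secondary")
        primary, secondaries = secondaries[0], [primary] + secondaries[1:]
    others = [s for s in secondaries if s is not collector]

    # Phase 1: log collector. An interim 5.0 collector takes over while it is upgraded.
    # Assumption: with no other secondary available, the 5.0 primary is the interim collector.
    interim = others[0] if others else primary
    plan["log_collector"] += [
        f"acs backup on {collector.name} to a repository",
        f"set {interim.name} as the 5.0 log collector and restore the backup there",
        f"deregister and delete {collector.name} from {primary.name}",
        f"upgrade {collector.name} to 5.1 (it becomes the 5.1 primary and log collector)",
        f"on {primary.name} create a syslog remote log target to {collector.name}, port 20514, "
        "and enable it in the logging categories",
    ]

    # Phase 2: secondaries. Exception 2: a two-server deployment has none left here.
    for s in others:
        if s is interim:
            plan["secondaries"].append(f"move the 5.0 log collector from {s.name} to {primary.name}")
        plan["secondaries"] += [
            f"deregister and delete {s.name} from {primary.name}",
            f"backup {s.name}, then upgrade it to 5.1",
            f"register {s.name} to {collector.name} with recovery keyword {s.name}",
        ]

    # Phase 3: the primary goes last, once no secondary is still registered to it.
    plan["primary"] += [
        f"backup {primary.name} and confirm its Secondary Instances table is empty",
        f"upgrade {primary.name} to 5.1",
        f"register {primary.name} to {collector.name} with recovery keyword {primary.name}",
        f"optionally promote {primary.name} back to 5.1 primary",
    ]
    return plan


if __name__ == "__main__":
    # Constructed three-server deployment in which the primary also collects logs.
    demo = [Server("acs-a", "primary", log_collector=True),
            Server("acs-b", "secondary"), Server("acs-c", "secondary")]
    for phase, steps in plan_upgrade(demo).items():
        print(phase)
        for step in steps:
            print("  -", step)
```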

Upgrading the Log Collector Server

Initially, you need to upgrade the log collector server to ACS 5.1 and use this server as a common log collector between the ACS 5.0 and 5.1 deployments until the 5.1 upgrade for all the servers is complete.

You can upgrade a log collector node that functions as a secondary server. But, when your primary server also functions as the log collector, you must promote a secondary server to play the role of the primary for the 5.0 deployment, change the primary server to secondary, and upgrade the secondary server (the server that was changed from primary to secondary) to 5.1. To promote a secondary server as primary, see Promoting a Secondary Server to Primary.

To upgrade a log collector to 5.1:


Step 1 Back up the log collector data:

From the ACS CLI, issue the following acs backup command in the EXEC mode to perform a backup and place the backup in a repository:

acs backup backup-file-name repository repository-name

Step 2 Change the log collector configured on the primary server: assign another secondary server in the 5.0 deployment as the log collector.

a. From the ACS web interface, select System Administration > Configuration > Log Configuration > Log Collector.

The Log Collector page appears.

b. From the Select Log Collector drop-down list box, choose a different secondary server to configure it as a log collector for your 5.0 deployment.

c. Click Set Log Collector.

Step 3 From the CLI of the newly assigned log collector, issue the show application status acs command to verify that all of the ACS processes are running.

Step 4 Restore the log collector data from the backup repository to the new 5.0 log collector.

Issue the following acs restore command in the EXEC mode:

acs restore backup-file-name repository repository-name

Step 5 Deregister the old log collector server from the deployment and delete it from the ACS 5.0 primary, so that it is now a standalone server.

a. From the web interface of the ACS 5.0 primary server, select System Administration > Operations > Distributed System Management.

The Distributed System Management page appears.

b. From the Secondary Instances table, check the check box next to the secondary instance that you want to deregister.

c. Click Deregister.

The system displays the following message:

This operation will deregister the selected ACS Instance from the Primary Instance.

Do you wish to continue?

d. Click OK.

The ACS machine restarts.

e. Log in to the ACS 5.0 primary server.

f. Select System Administration > Operations > Distributed System Management.

g. From the Secondary Instances table, check the check box next to the deregistered secondary instance that you want to delete.

h. Click Delete.

The following message appears:

Are you sure you want to delete the selected item/items?

i. Click OK.

The Secondary Instances table on the Distributed System Management page appears without the deleted secondary instance.

Step 6 Upgrade the ACS server to 5.1. See Upgrading an ACS Server from 5.0 to 5.1.

Step 7 On the primary server of the 5.0 deployment, define a remote log target for the 5.1 log collector server:

a. Select System Administration > Configuration > Log Configuration > Remote Log Targets.

The Remote Log Targets page appears.

b. Click Create.

The Create page appears.

c. Enter the values for the following fields:

Name—The name of the remote log target. Maximum length is 32 characters.

Description—(Optional) A description of the remote log target. Maximum description length is 1024 characters.

Type—The type of remote log target. Syslog is the only option.

IP Address—IP address of the remote log target, in the format x.x.x.x. Specify the IP address of the 5.1 log collector server.

Use Advanced Syslog Options—Click to enable the advanced syslog options that include port number, facility code, and maximum length.

Port—The port number of the remote log target that is used as the communication channel between the ACS and the remote log target (default is 514). Enter 20514 for the port number.

Facility Code—(Optional) Choose an option from the Facility Code drop-down list box.

Maximum Length—The maximum length of the remote log target messages. Valid options are from 200 to 1024.

d. Click Submit.

The remote log target configuration is saved. The Remote Log Targets page appears with the new remote log target configuration.

Now, the authentication details from the 5.0 deployment are logged in both the 5.0 and 5.1 log collector servers.

Step 8 On the 5.0 primary server, configure the appropriate logging categories for the remote log target:

a. Select System Administration > Configuration > Log Configuration > Logging Categories > Global.

The Logging Categories page appears; from here, you can view the logging categories.

b. Click the name of the logging category you want to configure; or, click the radio button next to the name of the logging category you want to configure and click Edit.

c. In the General tab, complete the following fields:

Log Severity—Use the drop-down list box to select the severity level. Valid options are FATAL, ERROR, WARN, INFO, and DEBUG.

Log to Local Target—Check to enable logging to the local target.

Local Target is Critical—Check the check box to make this local target the critical target. Usable for accounting and for AAA audit (passed authentication) logging category types only.

d. Click the Remote Syslog Target tab and choose the Remote Targets to view the logs.

e. Click Submit.

The Logging Categories page appears, with your configured logging category.

When the ACS processes of the 5.1 log collector server are up and running, all the configuration data, monitoring and report data, and reports are upgraded.

Now the upgraded server functions as ACS 5.1 primary server as well as a log collector.


Upgrading the Secondary Servers

To upgrade each 5.0 secondary server in your deployment to 5.1:


Note To ensure that you preserve the local certificates of the secondary server, you should promote each secondary server to primary role and then perform the ACS 5.1 upgrade. See Upgrading the PKI Data.



Note Before upgrading a secondary ACS server, ensure that the server is active and is not in local mode. To verify the status, from the web interface of the secondary server, select System Administration > Operations > Local Operations > Join a Distributed System and check the status of the secondary ACS server.



Step 1 Verify whether the secondary server is a log collector. If it is, change the log collector server to the primary server or any other secondary server; otherwise, proceed to Step 2.

a. From the 5.0 primary server, select System Administration > Configuration > Log Configuration > Log Collector.

ACS displays the current log collector server.

b. From the Select Log Collector drop-down list box, choose a different server to configure it as a log collector.

c. Click Set Log Collector.

Step 2 Deregister the secondary server from the 5.0 deployment and delete it from the ACS 5.0 primary server, so that it now becomes a standalone server:

a. Select System Administration > Operations > Distributed System Management.

The Distributed System Management page appears.

b. From the Secondary Instances table, check the check box next to the secondary instance that you want to deregister.

c. Click Deregister.

The system displays the following message:

This operation will deregister the selected ACS Instance from the Primary Instance.

Do you wish to continue?

d. Click OK.

The ACS machine restarts.

e. Log in to the ACS 5.0 primary server.

f. Select System Administration > Operations > Distributed System Management.

g. From the Secondary Instances table, check the check box next to the secondary instance that you want to delete.

h. Click Delete.

The following message appears:

Are you sure you want to delete the selected item/items?

i. Click OK.

The Secondary Instances table on the Distributed System Management page appears without the deleted secondary instance.

Step 3 Back up the secondary server data.

From the ACS CLI, issue the following backup command in the EXEC mode to perform a backup and place the backup in a repository:

backup backup-name repository repository-name

Step 4 Upgrade the ACS server to 5.1. See Upgrading an ACS Server from 5.0 to 5.1.

Step 5 Register the secondary server to the ACS 5.1 primary server.

a. Select System Administration > Operations > Local Operations > Deployment Operations.

The Deployment Operation page appears.

b. Complete the following mandatory fields in the Registration dialog box:

Primary Instance—The hostname of the 5.1 primary server that you wish to register the secondary instance with.

Admin Username—Username of an administrator account.

Admin Password—The password for the administrator account.

Hardware Replacement—Check to enable the existing ACS instance to re-register with the primary instance and get a copy of the configuration already present in the primary instance.

Recovery Keyword—Specify the same hostname that was used in the 5.0 deployment to ensure that you associate this secondary server with the monitoring and report data collected earlier. After you submit this information, this instance connects to the primary instance. The primary instance finds the associated ACS instance records based on the keyword, and marks each record as registered.

c. Click Register to Primary.

The system displays the following message:

This operation will register this ACS Instance as a secondary to the specified Primary Instance. ACS will be restarted. You will be required to login again. Do you wish to continue?

d. Click OK.


Note When you register a secondary to a primary instance, you can use any account created on the primary instance. The credentials that you create on the primary instance are replicated to the secondary instance.


e. Log in to the ACS secondary server after restart.

After the registration is complete, ACS performs a full synchronization and sends the ACS 5.1 configuration data to the 5.1 secondary server.


Upgrading the Primary Server

To upgrade the primary server from a 5.0 to 5.1 deployment:


Step 1 Back up the primary server data.

To do this, from the ACS CLI, issue the following backup command in the EXEC mode to perform a backup and place the backup in a repository:

backup backup-name repository repository-name

Step 2 Make sure the primary server is a standalone server:

a. Select System Administration > Operations > Distributed System Management.

The Distributed System Management page appears.

b. Check if there are secondary servers listed in the Secondary Instances table. If there are any secondary servers, upgrade those servers before upgrading the 5.0 primary server. See Upgrading the Secondary Servers.

Step 3 Upgrade the ACS server to 5.1. See Upgrading an ACS Server from 5.0 to 5.1.

Step 4 Register the server to the Primary ACS 5.1:

a. Select System Administration > Operations > Local Operations > Deployment Operations.

The Deployment Operation page appears.

b. Complete the following mandatory fields in the Registration dialog box:

Primary Instance—The hostname of the primary server that you wish to register the secondary instance with.

Admin Username—Username of an administrator account.

Admin Password—The password for the administrator account.

Hardware Replacement—Check to enable the existing ACS instance to re-register with the primary instance and get a copy of the configuration already present in the primary instance.

Recovery Keyword—Specify the same hostname as was used in the 5.0 deployment to ensure that you associate this server with the monitoring and report data collected earlier. After you submit this information, this instance connects to the primary instance. The primary instance finds the associated ACS instance records based on the keyword, and marks each record as registered.

c. Click Register to Primary.

The system displays the following message:

This operation will register this ACS Instance as a secondary to the specified Primary Instance. ACS will be restarted. You will be required to login again. Do you wish to continue?

d. Click OK.


Note When you register a secondary to a primary instance, you can use any account created on the primary instance. The credentials that you create on the primary instance are replicated to the secondary instance.


e. Log in to the ACS server after restart.

Step 5 Promote this instance as the ACS 5.1 primary again. See Promoting a Secondary Server to Primary.


Note Perform Step 4 only when you have a secondary server functioning as an ACS 5.1 primary server or when you want the log collector node to be a secondary server.



Upgrading the PKI Data

During the upgrade process, ACS converts the Public Key Infrastructure (PKI) credentials of the primary server to a 5.1-compatible format. ACS stores the PKI credentials, the private keys of the local certificates, and the outstanding signing requests of the primary server in a file system rather than a database.

To preserve the local certificates of the secondary servers, you should promote each secondary server to primary and then perform the ACS 5.1 upgrade. See Promoting a Secondary Server to Primary.

Promoting a Secondary Server to Primary

To promote a secondary server to primary:


Step 1 From the web interface of the primary server, select System Administration > Operations > Distributed System Management.

The Distributed System Management page appears.

Step 2 In the Secondary Instances table, check the check box next to the secondary server that you want to promote to primary.

Step 3 Click Promote.

The system displays the following message:

This operation will promote the selected ACS Instance to become the new Primary Instance. As a consequence, the current Primary Instance will be demoted to a Secondary.

Do you wish to continue?

Step 4 Click OK.

The system promotes the selected secondary server to primary, moves it to the Primary Instance table, and automatically moves the existing primary server to the Secondary Instances table.

When the registration completes, ACS performs a full synchronization and sends the ACS 5.1 configuration data to the newly promoted primary server.


Upgrading the ACS Monitoring and Report Viewer

ACS invokes the upgrade of the Monitoring and Report Viewer as a subtask during upgrade.


Note The ACS Monitoring and Report Viewer upgrade process might take a minimum of 1 hour to many hours depending on your ACS backup data.


You can also manually back up the 5.0 data prior to the upgrade and restore it if any data loss occurs during the upgrade. The maximum disk space available for the ACS Monitoring and Report Viewer is 150 GB.

To check the status of the database upgrade, in the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Data Upgrade Status.

When the database upgrade completes, ACS displays the following message:

The View database conversion is complete.

After the data upgrade is complete, click Switch Database.

ACS displays the following message:

ACS Web Server will restart. Your current session will be destroyed. Do you want to continue?

Click OK.

ACS stops all ACS processes and restarts the processes automatically.

Restoring the Monitoring and Report Viewer Data After Upgrade

When you restore the backup data after upgrading to 5.1, ACS automatically synchronizes the changes with the database and reports, if any changes are found.

Upgrading the Database

After the 5.1 upgrade, if you restore the backup made prior to the upgrade, ACS displays the database version as AVPair:DBVersion=5.0 and keeps the schema version as 5.0 in the av_system_settings table. When the database process restarts, ACS checks whether the ACS version and the database version are out of date and, if so, performs a schema and data upgrade.

Upgrading the Reports

After you upgrade to 5.1, if you restore the backup made prior to the upgrade, ACS checks whether the reports tag displays "View 5.0" and, when the web process starts up, performs the necessary updates.


Note When you click Switch Database, the logs that are generated after you perform Step 7 (upgrading the database schema to version 5.1) of the log collector server upgrade are lost. ACS retains only the logs that are generated before you perform Step 7.


Upgrading an ACS Server from 5.0 to 5.1

Initially, you must upgrade the ADE-OS version to 1.2 and then upgrade ACS to 5.1. ACS allows you to perform this upgrade procedure remotely through CLI.


Note Before upgrading an ACS server, ensure that the server is a standalone server and obtain a backup of the ACS 5.0 configuration.


Before you begin the upgrade, log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml and download the software listed in Table 7-1.

Table 7-1 lists a set of software that you need for upgrading an ACS server from 5.0 to 5.1.

Table 7-1 Software Required for Upgrading from ACS 5.0 to ACS 5.1

Software: ACS 5.0 patch (patch 9 or the latest ACS 5.0 patch)
Location: From the Cisco Software Download Site, navigate to Security > Identity Management > Cisco Secure Access Control System > Cisco Secure Access Control System 5.0.

Software: ADE-OS version 1.2
Location: From the Cisco Software Download Site, navigate to Security > Identity Management > Cisco Secure Access Control System > Cisco Secure Access Control System 5.1.
Note You can alternatively copy the ADE-OS version 1.2 software from the Upgrade and Migration DVD that shipped with your appliance.

Software: ACS 5.1 upgrade image
Location: From the Cisco Software Download Site, navigate to Security > Identity Management > Cisco Secure Access Control System > Cisco Secure Access Control System 5.1.
Note You can alternatively copy the ACS 5.1 upgrade image from the Upgrade and Migration DVD that shipped with your appliance.


To upgrade an ACS server:


Step 1 Install the ACS 5.0 patch:

Issue the following acs patch command in the EXEC mode to install the ACS patch:

acs patch install patch-name.tar.gpg repository repository-name

ACS displays the following confirmation message:

Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no

Enter yes.

Step 2 Upgrade the ADE-OS version:

a. Issue the following acs patch command in the EXEC mode to install the ADE-OS 1.2:

acs patch install patch-name.tar.gpg repository repository-name


Note ADE-OS supports a local cdrom repository as well.


ACS displays the following confirmation message:

Installing an ACS patch requires a restart of ACS services.
Would you like to continue? yes/no

b. Enter yes.

ACS upgrades the ADE-OS version and stores the upgrade details in /opt/CSCOacs/logs/acsupgrade.log.

c. Issue the show version command and verify that ADE-OS has been upgraded to version 1.2, as shown below:

ADE-OS Build Version: 1.2.0.146


Note If you skip Step 1 or proceed to Step 2 before completing Step 1, ACS does not perform the upgrade and reboots the ACS server.


Step 3 Place the ACS 5.1 upgrade image in a remote repository and upgrade ACS to 5.1:

a. Issue the following application upgrade command in the EXEC mode to upgrade ACS.

application upgrade application-bundle remote-repository-name

ACS displays the following confirmation message:

Do you want to save the current configuration ? (yes/no) [yes] ? 


Caution While the ACS upgrade is in progress, do not perform any ACS operations, including operations from the CLI. You can, however, use CLI commands to view the system status or logs.

b. Enter yes.

When the ACS upgrade is complete, the following message appears:

Application upgrade successful.


Note The time the upgrade process takes depends on the size of your ACS database. The process also includes backing up the database to the local repository.



Note If the ACS services have not started a couple of hours after the upgrade completes, check /opt/CSCOacs/logs/acsupgrade.log to confirm that the application upgrade was successful.


When the application upgrade is complete, ACS automatically restarts and begins to convert and upgrade the ACS 5.0 Monitoring and Report Viewer data to the 5.1 format.

Step 4 Open a new SSH connection for the ACS 5.1 CLI commands to take effect.

Step 5 To monitor the status of the data upgrade, from the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.

The Data Upgrade Status page appears with the following information:

Progress—Indicates the progress of the Monitoring and Report Viewer data upgrade.

Status—Indicates whether the Monitoring and Report Viewer data upgrade is complete or not. ACS displays the following message when the upgrade is complete:

The View database conversion is complete.

Step 6 After the data upgrade status is complete, click Switch Database.


Note ACS completes the Monitoring and Report Viewer upgrade only after you perform Switch Database operation.


ACS displays the following message:

ACS Web Server will restart. Your current session will be destroyed. Do you want to continue?

Click OK.

ACS stops all ACS processes and restarts the processes automatically.

Step 7 Issue the show application version acs command and check if the upgrade is successful.



Note The ACS upgrade process automatically backs up the ACS configuration data and stores it in the acs-upgrade-repo repository with the name "acs-auto-upgrade-backup-xxx", where xxx is the timestamp of the backup copy stored in the repository. You can restore this configuration data using the restore command.


ACS 5.1 does not support NAC RADIUS. Therefore, during the upgrade of ACS to 5.1, the upgrade process removes the NAC RADIUS attributes and external policies, which includes the following:

Removing the External Policy Check option in Access Service

Removing the relevant Access Service Templates from the database

Removing NAC-related custom conditions

Marking NAC-related system attributes as not available for policy

Alternatively, you can also perform the ACS upgrade by Reimaging and Upgrading an ACS Server.

Upgrading an ACS Server Using an UpgradeDisk

You can upgrade the ACS Server by using the UpgradeDisk. To upgrade using the UpgradeDisk:


Step 1 Enter the following commands to configure a repository that points to the directory inside the UpgradeDisk:

# configure terminal

(config)# repository Disk

(config-Repository)# url cdrom:/[directory inside the cdrom]

(config-Repository)# exit

(config)# exit

Step 2 Start the upgrade process by executing the following command:

# application upgrade acs.tar.gz Disk


Reimaging and Upgrading an ACS Server

This section describes the steps to back up the ADE-OS and ACS configuration data, reimage ACS, and restore the backup data.

You must have physical access to the ACS box to perform this upgrade procedure.

To upgrade an ACS server using the recovery DVD:


Step 1 Back up the ADE-OS and ACS configuration data from the ACS 5.0 server:


Note Ensure that you use a nonlocal repository for the ACS 5.0 data backup. Otherwise, you might lose the configuration data after you install 5.1.


Issue the following backup command in the EXEC mode to perform a backup and place the backup in a repository.

backup backup-name repository repository-name

Step 2 Reimage the server as described in Reimaging the ACS Server, page 5-6.

ACS upgrades the ADE-OS to 1.2 and ACS to 5.1.

Step 3 Restore the ADE-OS and ACS configuration data to the ACS 5.1 server:

Issue the restore command in the EXEC mode to restore the backup taken earlier:

restore filename repository repository-name

While ACS restores the 5.0 configuration data, it begins to convert and upgrade the ACS 5.0 Monitoring and Report Viewer data to the 5.1 format.

Step 4 To monitor the status of the data upgrade, from the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.

The Data Upgrade Status page appears with the following information:

Progress—Indicates the progress of the Monitoring and Report Viewer data upgrade.

Status—Indicates whether the Monitoring and Report Viewer data upgrade is complete or not. ACS displays the following message when the upgrade is complete:

The View database conversion is complete.

Step 5 After the data upgrade status is complete, click Switch Database.


Note ACS completes the Monitoring and Report Viewer upgrade only after you perform the Switch Database operation.


ACS displays the following message:

ACS Web Server will restart. Your current session will be destroyed. Do you want to continue?

Click OK.

ACS stops all ACS processes and restarts the processes automatically.


Refer to Upgrading an ACS Server from 5.0 to 5.1 for another method of upgrading an ACS server.